RTLO (right to left override) technique for file extension spoofing U+202e

RTLO (right to left override) technique for file extension spoofing

Step-by-Step Guide

U+202E 2017-03-27 10-34-50

  1. Open Windows Character Map Tool (Start, Run, Charmap)
  2. Go to Unicode 202E: Right-To-Left Override
  3. Click Select and then Copy
  4. Edit a file name and just before the . Paste here. (Example, notepad.exe notepad[202E].exe
  5. Then type in the file extension your require.
    1. doc=cod
    2. pdf=fdp
  6. User Resource Hacker to change the ICON (http://www.angusj.com/resourcehacker/)

Self Extracting and Executing archive SFX

Software

 Method

  1. Email encrypted self extracting SFX file that is a .SCR VbScript with file name that looks like a PDF using 202E which then executes DLL to download payload and executes in users admin area.

Essentially, the file’s actual name can be something like “Awesome Song uploaded by [U+202e]3pm.SCR”. The special character forces Windows to display the end of the file’s name in reverse, so the file’s name will appear as “Awesome Song uploaded by RCS.mp3”. However, it’s not an MP3 file – it’s an SCR file and it will be executed if you double-click it. (See below for more types of dangerous file extensions.)

Method 1: Universal

This method works regardless of any of your language settings, but is the most cumbersome to type.

  1. Press and hold down the Alt key.
  2. Press the + (plus) key on the numeric keypad.
  3. Type the hexidecimal unicode value.
  4. Release the Alt key.

Alas, this appears to require a registry setting. It was already set on my computer, but some readers report that this method didn’t work for them, and this is probably why. If you don’t know what the registry is, please don’t try this. Under HKEY_Current_User/Control Panel/Input Method, set EnableHexNumpad to “1”. If you have to add it, set the type to be REG_SZ.

Method 2: Input-language Specific

This method depends on the specific input language you are using.

  1. Press and hold down the Alt key.
  2. Type 0 (zero) and the decimal unicode value on the numeric keypad.
  3. Release the Alt key.

You can see which input language you are using (and which are installed) by:

  1. Start Menu
  2. Settings
  3. Control Panel
  4. Regional and Language Options
  5. Languages tab
  6. Detail button

The entries in the Unicode character information section are using the Windows Latin 1 input language.

Method 3: Code-page Specific

This method depends on the specific code page you have installed.

  1. Press and hold down the Alt key.
  2. Type the decimal codepage value on the numeric keypad. Do not type any leading zeros.
  3. Release the Alt key.

You can see which code page you have by typing chcp at a command prompt. Check the grid for your code page from the list of known code pages to see what characters you can enter this way.

The entries in the Unicode character information section are using code page 437.

Method 4: Application-specific

Applications can support their own methods. These are not standardized.

Several Microsoft applications, including WordPad and Microsoft Word:
press Alt-X after typing some hex digits. You see the digits as you type them, and they’re replaced by the Unicode equivalent. Pressing Alt-X again converts it back to numbers.

Method 5: Unicode IME

Microsoft has a Unicode Input Method ?Editor? that works the same way my UnicodeInput pop-up does, but with LeftAlt Shift as the trigger key.

Michael Kaplan, a Microsoft i18n guru, has the details on how the Unicode IME works. Some notes to fill in some details that he assumes:

  • Go into Control Panel -> Regional Settings, on the languages tab, enable support for East Asian languages. This takes 230 MB of disk space and a restart.
  • Go back into Control Panel -> Regional Settings, on the languages tab, press the Details button.
  • Add Chinese (Taiwan) (Others would probably work too) and choose Chinese (Traditional) - Unicode.
  • You will now have an extra do-hickey in the taskbar showing which language you’re in.
  • Press LeftAlt Shift to switch into the IME (taskbar shows CH).
  • Type the hex digits of the Unicode character. As soon as you type the last one, it is sent to the application.
  • Press LeftAlt Shift to switch out of the IME (taskbar shows your original language code).

Tips

  • Fonts – you must have a font that contains the character. It seems obvious, but Windows can’t display characters it doesn’t know about. Often, you will need to select the font yourself, since only a few applications are smart enough to switch fonts automatically.
  • WordPad – works, but you have to have it set to a font that contains the character. Method 4 ([hex][AltX]) seems to switch to an appropriate font automatically.
  • Notepad – generally doesn’t work since its font doesn’t support many characters.
  • Internet Explorer – in the URL bar, the universal method doesn’t work if it has A-F, since it opens the menu (i.e. Alt-F opens the File menu).
  • Mozilla Firebird – works correctly (if you have a font that supports it). Note that if you type it on a page that is is using a charset that doesn’t support it, it will not be transmitted to the website correctly.

References

  • The Alt+NumPad entry in Microsoft’s Global Windows Glossary
  • Windows XP docs that inexcusably don’t mention the universal variation.
  • Discussion on GeorgeHernandez.com (search for “2005-04-24”) – discussion of the various problems with someone who did some real work to figure out what works and doesn’t. He also has a Unicode shortcuts page that summarizes his findings (quite similar to this page, but with more detail).
  • Wikipedia article Unicode_input with some Mac and Linux tips.
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s